Does this work in the user's context, or another user or computer account?

[gordonfpanam]

I attempted to set this up as a self-service password changer for a domain, similar to the one built into Exchange 2013 and later. I had hoped this would sign into Active Directory as the user in the user name field, and then use the supplied password to sign in before changing it.

It appears this software actually signs in as another user, or even as the computer or IIS AppPool user, which by itself wouldn't have permissions to reset a password.

Does this software work by signing in to AD as the user and then changing the password, or does it sign in as another user to then reset the password? There's a significant difference, as I wanted folks to be able to change passwords before they expire, or if they expire.

[simonai1254]

Hi

In the Appconfig you have the possibility to define a user that should be used to execute the password changing operations. But in my installation I have it running without defining that user, and it works as well. As on the system I have no privileged user I assume the password is changed in the context of the user changing the password.

Hope this helps and best regards
Simon

[gordonfpanam]

I have it running without defining that user, and it works as well.

I'll have to check again then, as the security logs on my test domain's DC is only showing a successful sign-in of a test user from the PC running Passcore, but not a subsequent password change attempt.

Would you be comfortable sharing your configuration here, omitting / censoring your domain-specifics or anything else you consider sensitive? Please let me know.

[simonai1254]

Hi

My configuration is the default settings with following parameters changed:

{
  [ omitted ]
  "AppSettings": {
    // The following options for AD Provider (remove if you don't use this Provider)
    "UseAutomaticContext": true, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
    "RestrictedADGroups": [
      "Administrators",
      "Domain Admins",
      "Enterprise Admins"
    ], // Set the AD groups to restrict the use of PassCore
    "AllowedADGroups": [], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
    "IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
    "UpdateLastPassword": true, // Set true to allow PassCore to  update the last password timestamp
    // The following options are for LDAP Provider (remove if you don't use this Provider)
    "LdapSearchBase": "dc=domain,dc=tld",
    "LdapSecureSocketLayer": true, // Default for AD is true when using LDAPS 636
    "LdapStartTls": false, // Default for AD is true when using LDAP 389
    "LdapChangePasswordWithDelAdd": true,
    "LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"
    // General options (valid for both providers)
    "LdapHostnames": [ 
	"dc1.domain.tld", 
	"dc2.domain.tld" 
    ], // Set your hostname(s)
    "LdapPort": 636, // Default for AD is 389, for LDAPS 636
    "LdapUsername": "", // Set the username or distinguish name (DN) to bind the LDAP server
    "LdapPassword": "", // Set the password for the username
    "DefaultDomain": "domain.tld" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
  },
  "ClientSettings": {
    "ValidationRegex": {
      "EmailRegex": "^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$",
      "UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
    },
    "UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
    "MinimumDistance": 2, //The minimum distance beetween the old and the new password, this is used to enforce the edit distance using the levenshtein distance algorithm.
    "PasswordEntropy": 8, // the number of bytes of entropy to use for generated passwords
    "ShowPasswordMeter": true,
    "MinimumScore": 1, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
    [ omitted ]
  }
}

Please note that right now I'm running on v4.2.3 as I am in an environment where the passcore server has no internet access and I can't use the Have I been Pwned API, which bricks Passcore for the moment (see #605)

Hope this helps

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.